Author Topic: DCOM exploit  (Read 12917 times)


Mark2234

DCOM exploit
« on: August 28, 2010, 08:04:55 PM »
Hi,

I have been using Avast for more than a year now and have never had this happen before. Every 30 minutes or so, regardless of what I am doing on my laptop, a message will come up saying that a DCOM exploit was stopped.

A bit of background info may be of use:
- The laptop was recently infected with Vundo
- With the help of a kind member at MBAM forums we think we managed to sort it out with Combofix
- Following the virus removal, AntiMalwareBytes deep scan comes back clean, and..
- Windows Defender scan comes back clean, and..
- Spybot Search and Destroy comes back clean (apart from a couple of relatively harmless cookies sometimes), and..
- Avast deep scan and boot scan come back clean (apart from what I have been told is a false positive in C:\hp\bin\endprocess.exe)
- Combofix scan comes back clean

I have since made the following alterations/additions:
- Installed Online Armour firewall (and disabled windows firewall)
- Installed Spyware Guard
- Removed all old versions of Java and updated to latest
- Added MVPS hosts file list
- Updated all software mentioned above

Any ideas what may be causing it? What can I do to stop it from happening?

Thanks,

Mark

spg SCOTT

Re: DCOM exploit
« Reply #1 on: August 28, 2010, 08:17:00 PM »
Hi Mark, welcome to the forum :)

From what I have read here, avast! is doing its job, and preventing the attack from succeeding.

I will steal a more knowledgeable user's answer here:

You're welcome.

DCOM attacks are speculative, not targeted, and try to exploit a vulnerability in an out-of-date OS; if your OS is up to date then you aren't vulnerable to the exploit. That doesn't stop them (usually someone from the same ISP with an infected computer) trying to see if it can infect others.
 
Your firewall should be the first line of defence in this, but avast also monitors common attack ports using the Network Shield, ideally the firewall should block it and avast wouldn't know about it, but for whatever reason avast is first in line over your firewall.


-Scott-
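To make DavidR's point about speculative scans from "someone from the same ISP" checkable, here is an added example (not from the thread, and not Avast's own code or log format) that parses constructed network-shield style alert lines, groups them by source address, and counts how many fall inside a CIDR prefix the operator supplies for their own ISP's range. The alert format, the addresses and the DCOM target port 135/tcp in the sample are all assumptions of this example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample alert lines, loosely modelled on a "blocked attack"
# message; the real Avast Network Shield log format is not on the page.
SAMPLE_ALERTS = """\
2010-08-28 19:30:12 Network Shield: blocked DCOM Exploit attempt from 203.0.113.45:2391 to local port 135/tcp
2010-08-28 20:01:47 Network Shield: blocked DCOM Exploit attempt from 203.0.113.45:2455 to local port 135/tcp
2010-08-28 20:31:05 Network Shield: blocked DCOM Exploit attempt from 203.0.113.201:1089 to local port 135/tcp
2010-08-28 21:02:19 Network Shield: blocked DCOM Exploit attempt from 198.51.100.7:3345 to local port 135/tcp
2010-08-28 21:33:40 Network Shield: blocked DCOM Exploit attempt from 203.0.113.45:2502 to local port 135/tcp
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) Network Shield: blocked (?P<sig>.+?) attempt "
    r"from (?P<src>[\d.]+):(?P<sport>\d+) to local port (?P<dport>\d+)/(?P<proto>\w+)$"
)


def parse_alerts(text):
    """Return one dict per parseable alert line; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["dport"] = int(d["dport"])
            events.append(d)
    return events


def triage(events, own_prefix):
    """Group alerts by source and count those inside own_prefix, a CIDR string
    the operator supplies for their own ISP range (an assumption of this example)."""
    net = ip_network(own_prefix)
    by_src = Counter(e["src"] for e in events)
    from_own = sum(n for src, n in by_src.items() if ip_address(src) in net)
    return {
        "total": len(events),
        "sources": dict(by_src),
        "ports": sorted({(e["dport"], e["proto"]) for e in events}),
        "from_own_prefix": from_own,
    }


if __name__ == "__main__":
    # A few noisy neighbours in the same prefix hitting the same port is the
    # "speculative, not targeted" pattern; a firewall rule on that port ends it.
    print(triage(parse_alerts(SAMPLE_ALERTS), "203.0.113.0/24"))
```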

Asyn
Re: DCOM exploit
« Reply #2 on: August 28, 2010, 08:23:50 PM »
From what I have read here, avast! is doing its job, and preventing the attack from succeeding.

Still the firewall should have blocked it before avast...!!
asyn
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Pondus
Re: DCOM exploit
« Reply #3 on: August 28, 2010, 08:30:03 PM »

spg SCOTT

Re: DCOM exploit
« Reply #4 on: August 28, 2010, 08:31:58 PM »
From what I have read here, avast! is doing its job, and preventing the attack from succeeding.

Still the firewall should have blocked it before avast...!!
asyn

Yes, but if you read the quote from DavidR, it appears that avast! beats the firewall to it...at least that is how I understand it.

Pondus
Re: DCOM exploit
« Reply #5 on: August 28, 2010, 08:36:23 PM »
Quote
Your firewall should be the first line of defence in this, but avast also monitors common attack ports using the Network Shield, ideally the firewall should block it and avast wouldn't know about it, but for whatever reason avast is first in line over your firewall.
Quote
Yes, but if you read the quote from DavidR, it appears that avast! beats the firewall to it...at least that is how I understand it.
So if you turn on your router firewall, you won't see this?
« Last Edit: August 28, 2010, 08:38:01 PM by Pondus »

Asyn
Re: DCOM exploit
« Reply #6 on: August 28, 2010, 08:37:50 PM »
Yes, but if you read the quote from DavidR, it appears that avast! beats the firewall to it...at least that is how I understand it.

A good firewall shouldn't be 'beaten' by an AV (or its setup is faulty).
Or does the OP use AIS..? As he doesn't refer to which program pops up with this message...
Is it avast after all..??
asyn

DavidR
Re: DCOM exploit
« Reply #7 on: August 28, 2010, 08:48:41 PM »
DCOMbobulator
http://www.grc.com/freeware/dcom.htm

Won't make a blind bit of difference as it doesn't stop the external attempt (which the network shield will detect, if not done by the firewall) as this is an internal tool.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

spg SCOTT

Re: DCOM exploit
« Reply #8 on: August 28, 2010, 08:53:26 PM »
Yes, but if you read the quote from DavidR, it appears that avast! beats the firewall to it...at least that is how I understand it.

A good firewall shouldn't be 'beaten' by an AV (or its setup is faulty).

Or maybe avast! is just that good ;)
I presume that in OA, you could create a rule that blocks that port completely. That would do it I suppose...or the router firewall might, as Pondus suggests?
Quote
Or does the OP use AIS..? As he doesn't refer to which program pops up with this message...
Is it avast after all..??
asyn
I'd guess either Free or Pro...since the OP says they have Online Armour installed.

-Scott-

Asyn
Re: DCOM exploit
« Reply #9 on: August 28, 2010, 09:01:22 PM »
1. Or maybe avast! is just that good ;)
2. I presume that in OA, you could create a rule that blocks that port completely. That would do it I suppose...or the router firewall might, as Pondus suggests?
3. I'd guess either Free or Pro...since the OP says they have Online Armour installed.

1. It sure is very good, as it blocks DCOM, which should have been blocked by the firewall.
But as said, the FW should block it first...!!!
2. True and yes.
3. Let's wait for a reply, I saw some rather confused users here already... ;)
asyn

DavidR
Re: DCOM exploit
« Reply #10 on: August 28, 2010, 09:07:52 PM »
The order things would run would I guess be down to windows and may or may not have to do with which was installed first, but it is a bit like black magic as there doesn't appear to be any reasoning in it.

Blocking the port in OA would be the same as using DCOMbobulator; since avast is getting in first it would alert before the OA block (or DCOMbobulator) got a look in.

@ Mark2234
If you have avast 4.8 I would suggest now would be a good time to update to avast 5.0, if you already have avast 5.0 then, all I can suggest is that you leave OA installed and do a clean reinstall of avast:
This assumes you are using the free version of avast - Download the latest version of avast, 5.0.594 http://www.avast.com/free-antivirus-download and save it to your HDD, somewhere you can find it again (if you didn't save your last download). Use that when you reinstall.

- Download the avast! Uninstall Utility, aswClear5.exe find it here and save it to your HDD (it has uninstall tools for both 4.8 and 5.0).
1. Now uninstall (using Add/Remove Programs; if you can't do that, start from the next step), reboot.
2. Run the avast! Uninstall Utility from safe mode, first for 4.8 if previously installed and then for 5.0; once complete, reboot into normal mode.
3. Install the latest version, reboot.

Mark2234

Re: DCOM exploit
« Reply #11 on: August 30, 2010, 05:26:58 AM »
Thanks for your input everyone, and sorry for the delayed reply! Unexpectedly busy the last couple of days.

Anyway, I had the latest Avast, the free version currently (as well as all windows updates which I think I forgot to mention). I have uninstalled via David's instructions and reinstalled. I will let you know if the DCOM exploit warnings continue!

Thanks,

Mark

DavidR
Re: DCOM exploit
« Reply #12 on: August 30, 2010, 04:17:18 PM »
You're welcome, good luck.

Mark2234

Re: DCOM exploit
« Reply #13 on: August 31, 2010, 04:50:08 AM »
Unfortunately I'm still getting a few of the messages! Any ideas?

Gargamel360

Re: DCOM exploit
« Reply #14 on: August 31, 2010, 05:05:58 AM »
Do you use a router w/firewall, or are you hooked directly to cable modem?

An external firewall might help, provided you don't already have one.